"NT Authority" mapping failures
slow at samba.org
Tue Nov 27 17:48:29 UTC 2018
On Tue, Nov 27, 2018 at 09:31:40AM -0800, Jeremy Allison wrote:
>On Tue, Nov 27, 2018 at 06:26:42PM +0100, Ralph Böhme wrote:
>> Hi Jeremy,
>> I came across this ancient gem: :)
>> By chance, do you remember the reasoning for ignoring mapping failures with
>> these two domain?
>Historically we didn't map Creator_Owner_Domain to a valid uid
>(as it should have gotten changed to the creator uid/gid).
>> I'm asking because I just stumbled across that currently mapping users and
>> groups from "NT Authority" fails. I discovered this (though I fainlty
>> remember I ran into this before) when modifying CI to run raw.acls tests
>> against the enhanced vfs_nfs4acl_xattr module.
>> Most test failed because lookupname "NT Authority/Authenticated Users" isn't
>> working. I have a WIP patch to fix this (attached) and while poking around I
>> came across the above commit that paves above such mapping failures in the
>> posix_acls.c code.
>> Thoughts? :)
>It's the conversion of SID->uid/gid for meta-sids that have no POSIX
>meaning that I was avoiding here.
>Didn't want the POSIX ACL set to fail if it couldn't convert
>a SID->uid/gid for an ACE entry that couldn't be represented
>in a POSIX ACE entry.
hm, I guess these days the allocating idmap backend should allocate ids for such
mapping requests, so this works today. At least with my patch
$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
NT AUTHORITY/authenticated users:x:100001:
works and returns a mapping.
>No reason winbindd shouldn't handle them, so long as it doing
>so doesn't break the conversion of Windows ACL -> POSIX ACL.
>That's what I remember :-).
Ok, thanks. Now I just have to figure out why my patch doesn't work in goddam
make test. :)
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
More information about the samba-technical